Cyber Tech Help Support Forums > Software > Malware Removal

#1  March 18th, 2004, 08:57 PM
killerjay_47 (New Member)

Something's still hiding

[Previously posted in Windows XP (my mistake!)]

I've been attacked by a bunch of spyware/adware/hijack junk that gave me popups and loaded a bunch of garbage on my computer. At the time I thought, 'no problem, I can clean this up.'

No such luck. After running ad-aware and Spybot S&D as well as a Norton AV scan and a Trend Micro Housecall, I thought it was clean. I rebooted and reran the ad-aware only to find that something had reinstalled itself and there was more garbage. What's more, my browser is slow slow slow when I first start it up. I've cleaned everything I can think of and still I get popups every once in a while, but my machine also bogs right down whenever I try to open a control panel item like internet options or user profiles.

I also get this message popping up that says:

Server Busy
! This action cannot be completed because the other program is busy. Choose Switch To to activate the busy program and correct the problem.

Cancel is greyed out. When I click retry it just comes back.
When I click switch to it opens up the start menu and comes back. I've never seen something like this happen, and I've seen some pretty messed up PCs before. Anyone got any ideas?

Here's my HijackThis Log that I ran just after my most recent cleanup. I'm not sure what could be out of place.

Logfile of HijackThis v1.97.7
Scan saved at 1:19:27 PM, on 18/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wnsintsv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jason\Desktop\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...AB?38059.860625

When I try to shut down I get mshta.exe and iexplore.exe not responding.

AACK what a mess...

Thanks for your help!

--Jason
#2  March 18th, 2004, 10:01 PM
mike (CTH Subscriber)
Hi,

Have HijackThis FIX:
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

Reboot to Safe Mode and delete:
C:\WINDOWS\System32\wnsintsv.exe

Reboot.

Didn't an UPDATED adaware or Spybot detect this?
#3  March 18th, 2004, 10:26 PM
killerjay_47 (New Member)
Quote:
Originally Posted by mike
Didn't an UPDATED adaware or Spybot detect this?
Unfortunately, no. I'm not sure why. I've updated both ad-aware and spybot today (ad-aware defs version 01R270 18.03.2004) and they make no mention of it at all. Thanks!

A little bit of further info that might be helpful:

Whenever I run ad-aware my norton realtime comes up with three trojans that it successfully blocks. They are all Trojan.ByteVerify (as norton calls it) and are found in Ad-Aware 6.0\Cache\VerifierBug.class, Ad-Aware 6.0\Cache\Dummy.class, and Ad-Aware 6.0\Cache\BlackBox.class.

Also, ad-aware always finds three more cookies, even though I don't open my web browser, and they are never the same three. Weird.

I'll try the fix you suggested, mike, and let you know what happens. Thanks!

--Jason
#4  March 18th, 2004, 10:47 PM
Meangean (Senior Member)
Also go to the Cyber Safety forum which this is in, but go to the forum where you can see all the topics, go to Virus and Removal Tools, go to Startup List, and run it and see what starts up on your computer.


Maybe there is a program that starts up automatically when you turn on your computer that is causing the problem.
#5  March 18th, 2004, 10:58 PM
killerjay_47 (New Member)
I did what you suggested. It seems to help a little. I don't get the annoying message popping up anymore. My browser is still messed up (it delays opening up like it's really lagging, although task manager shows the system at idle) and everything seems to still be lagging a bit.

Ad-aware found nothing this time around, and neither did spybot.

Here's my new HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 3:43:11 PM, on 18/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Prime95\prime95.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Jason\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...B?38059.860625


Thanks again for your help!

--Jason
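Mike's fix removed a single O4 autostart entry, and the reliable way to confirm that a fix took (and to notice anything that quietly came back) is to diff the O4 entries of the before and after logs rather than reading two 60-line logs by eye. The script below is an added example written for this thread, not a tool from HijackThis or any poster. Its inputs are excerpts of the O4 lines from the logs in post #1 and post #5; the needs_lookup heuristic (bare file names resolved through PATH, and executables sitting directly in System32) is the editor's own rule of thumb for which entries deserve a lookup in a startup-program reference, not a verdict on any of them.

```python
import re
from typing import Dict, Tuple

# Excerpts of the O4 lines from the two HijackThis logs posted in this thread
# (post #1, before the fix; post #5, after it). A non-O4 line is included to
# show that the parser ignores it.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

# Registry Run entries carry the value name in brackets; startup-folder entries
# are written as "shortcut.lnk = target".
O4_REG = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_LNK = re.compile(r"^O4 - (?P<key>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")

Entries = Dict[Tuple[str, str], str]


def parse_o4(log_text: str) -> Entries:
    """Return {(location, entry name): command} for every O4 line in a HijackThis log."""
    entries: Entries = {}
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip()) or O4_LNK.match(line.strip())
        if m:
            entries[(m.group("key"), m.group("name"))] = m.group("cmd")
    return entries


def diff_o4(before: str, after: str):
    """Entries that vanished, entries that appeared, and entries whose command changed."""
    b, a = parse_o4(before), parse_o4(after)
    removed = {k: b[k] for k in b.keys() - a.keys()}
    added = {k: a[k] for k in a.keys() - b.keys()}
    changed = {k: (b[k], a[k]) for k in b.keys() & a.keys() if b[k] != a[k]}
    return removed, added, changed


def _exe(cmd: str) -> str:
    """First token of the command: the quoted path if present, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def needs_lookup(entries: Entries) -> Dict[Tuple[str, str], str]:
    """Editor's heuristic (an assumption, not a HijackThis rule): registry Run entries
    whose executable is a bare file name or sits directly in the Windows system
    directory. Legitimate entries (ctfmon.exe here) match too; the point is only
    to shortlist what to look up, not to judge it."""
    flagged = {}
    for (key, name), cmd in entries.items():
        if "Run" not in key:
            continue  # startup-folder shortcuts are out of scope for this rule
        exe = _exe(cmd)
        bare = "\\" not in exe
        in_system32 = exe.lower().rsplit("\\", 1)[0] == r"c:\windows\system32"
        if bare or in_system32:
            flagged[(key, name)] = exe
    return flagged


if __name__ == "__main__":
    removed, added, changed = diff_o4(BEFORE_LOG, AFTER_LOG)
    for label, items in (("removed", removed), ("added", added), ("changed", changed)):
        print(label)
        for key, val in sorted(items.items()):
            print("   ", key, "->", val)
    print("worth looking up in the first log:")
    for key, exe in sorted(needs_lookup(parse_o4(BEFORE_LOG)).items()):
        print("   ", key, "->", exe)
```

Run against the two excerpts it reports the WNSC entry (and the MSConfig /auto entry, which the first log also had) as removed and the two IME entries as added, with nothing silently changed in place; that is the confirmation a helper wants before moving on to the next symptom.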
#6  March 18th, 2004, 11:07 PM
killerjay_47 (New Member)
Quote:
Originally Posted by Meangean
Also go to the Cyber Safety forum which this is in, but go to the forum where you can see all the topics, go to Virus and Removal Tools, go to Startup List, and run it and see what starts up on your computer.


Maybe there is a program that starts up automatically when you turn on your computer that is causing the problem.
I'm not sure which one exactly you mean. What utility should I use and where can I find it?

Thanks!

--Jason
#7  March 19th, 2004, 07:38 AM
mike (CTH Subscriber)
Hi killerjay_47,

Meangean was referring to "Startup List".

But it comes with "HJT" (same author).

Open HJT---Config---Miscellaneous Tools-- Generate Startup List.
Tick on "Generate Startup List" and also tick the two boxes immediately below.
OK the Startup List ...

Empty out all Temp folders for IE, TIF, History, cookies.

No problems, I'm just curious... but what did you install for the C:\WINDOWS\IME\ folders?

Cheers
#8  March 19th, 2004, 04:09 PM
killerjay_47 (New Member)
Quote:
Originally Posted by mike
No problems, I'm just curious... but what did you install for the C:\WINDOWS\IME\ folders?
I believe that is the directory for Japanese character display files. There are a lot of files with jp in the names and everything there has Microsoft IME in the description. I do recall that I installed Asian language support when I installed Windows last, so this could be what it is.

My startup list is too long to post here so you can find it here: http://www.eng.uwaterloo.ca/~jnshirtl/startuplist.txt if it is helpful at all anyways.

I'm curious to know if anyone knows what PHIME2002A and imjpmig8.1 are. And what is Gearsec?

I'm still having speed problems with IE and I'm not sure what's causing them. Ad-aware and Spybot both come back with nothing. Neither Norton nor Trend Micro can find any viruses (I got rid of those three that kept showing up) and still IE lags.

Another note: I've got "Adult Sites" and "Free Adult Content" in my Favorites folder and they weren't there before. They're both folders themselves and there aren't any links in them.

Here's my latest and greatest HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 9:08:46 AM, on 19/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Prime95\prime95.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jason\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...B?38059.860625



Thanks for all your help, any suggestions would be greatly appreciated.

--Jason
#9  March 20th, 2004, 09:27 AM
mike (CTH Subscriber)
Hi,

Quote:
"I'm curious to know if anyone knows what PHIME2002A and imjpmig8.1 are. And what is Gearsec?"

PHIME2002A and imjpmig8.1 are part of the IME language install (that I asked about).

Gearsec is for DVD and CD recording.

2.
Please goto :
C:\WINDOWS\System32\drivers\etc\hosts
and copy/paste the contents of "hosts" back to this thread.

3.
Open HJT, close everything else.

FIX the below entry:

O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts

Close HJT.

Reboot.

Cheers.

Last edited by mike; March 20th, 2004 at 09:30 AM.
#10  March 22nd, 2004, 04:11 PM
killerjay_47 (New Member)
Here's what was in my hosts file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy




And here's what was in a file in the same directory called hosts.20040318-095159.backup (which sorta indicates to me that this was already fixed by spybot or something else; note that it has autosearch stuff that isn't in the one above)


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


auto.search.msn.com
ieautosearch
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy



Interestingly enough, the hosts location entry does not show up in the HJT log anymore, which I have included here:


Logfile of HijackThis v1.97.7
Scan saved at 8:59:07 AM, on 22/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Prime95\prime95.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Jason\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...B?38059.860625



My browser still lags horribly. When I double click the icon it usually takes a couple of minutes to open on a machine that normally opens it almost instantly.

I'm just grabbing at strings here, but can you tell me for sure that the 'O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx' is legit? I don't know for sure.

And I could be wrong on this so could someone verify that Viewpoint media player is the one that comes with Netscape because it's in my installed programs list.

Thanks for all your help.

--Jason
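Mike's request to post the hosts file is a standard check: the O1 line in the previous log means HijackThis saw something in the file beyond the default localhost mapping, and a hosts entry is the classic way to make a browser's search or update host resolve somewhere it should not. Below is an added audit script written for this thread (the editor's, not from Spybot, HijackThis or any poster) that classifies every non-comment entry. The first two inputs are the clean file and the timestamped backup Jason posted, reduced to their non-comment lines; the two lines in the backup appear with no address in front of them, so the parser reports them as malformed rather than guessing what they mapped to. The third input is constructed to show the remaining categories: a redirect to a documentation address (198.51.100.7) and a loopback block of ads.example.net.

```python
import ipaddress
from typing import Dict, List

# Hosts files posted in this thread, reduced to their non-comment lines.
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost

# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
"""

BACKUP_HOSTS = """\
127.0.0.1 localhost

auto.search.msn.com
ieautosearch
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
"""

# Constructed input (not from the thread): one name redirected to a remote
# address and one name blocked by pointing it at loopback.
REDIRECT_HOSTS = """\
127.0.0.1 localhost
198.51.100.7 www.example.com   # constructed redirect
127.0.0.1 ads.example.net      # constructed block entry
"""

# Addresses that make a name resolve to the machine itself (or nowhere).
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Dict]:
    """Classify each entry of a hosts file.

    kind is one of:
      default   - the stock "127.0.0.1 localhost" line
      block     - a name mapped to loopback/unspecified (immunization lists look like this)
      redirect  - a name mapped to some other address (the name now resolves elsewhere)
      malformed - a line with no valid address or no host name (cannot resolve, still odd)
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            records.append({"line": lineno, "kind": "malformed", "text": line})
            continue
        hosts = fields[1:]
        if not hosts:
            records.append({"line": lineno, "kind": "malformed", "text": line})
            continue
        if str(addr) in LOCAL_ADDRS and [h.lower() for h in hosts] == ["localhost"]:
            kind = "default"
        elif str(addr) in LOCAL_ADDRS:
            kind = "block"
        else:
            kind = "redirect"
        records.append({"line": lineno, "kind": kind, "address": str(addr),
                        "hosts": hosts, "text": line})
    return records


def audit_hosts(text: str) -> List[Dict]:
    """Everything that is not the stock localhost line, in file order."""
    return [r for r in parse_hosts(text) if r["kind"] != "default"]


if __name__ == "__main__":
    for label, content in (("clean", CLEAN_HOSTS), ("backup", BACKUP_HOSTS),
                           ("constructed", REDIRECT_HOSTS)):
        findings = audit_hosts(content)
        print(f"{label}: {len(findings)} non-default entr{'y' if len(findings) == 1 else 'ies'}")
        for r in findings:
            print(f"   line {r['line']:>2} {r['kind']:<9} {r['text']}")
```

The clean file audits to nothing, which matches the O1 line dropping out of the later log; the backup's two address-less lines are exactly the "autosearch stuff" Jason noticed, and the constructed file shows how a genuine redirect is told apart from a harmless block entry.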
#11  March 22nd, 2004, 09:14 PM
mike (CTH Subscriber)
Hi,
Two things to try.

Download CWShredder from:
www.zerosrealm.com/downloads/CWShredder.zip

Unzip and open CWShredder, then click on the Fix button to find and fix any problems.

How to stop CWS infection: read the information when you click "Next" at the end of running CWShredder.


Reboot Computer

See if that helps.

2.
Free online scan from Panda:
http://www.pandasoftware.com/activescan/

Cheers
#12  March 22nd, 2004, 11:34 PM
killerjay_47 (New Member)
Thanks for the idea. I had already run CWShredder but I updated it and ran it again. It didn't find anything.

As far as the Panda Scan is concerned, their website is down and/or overloaded at the moment and I can't run the scan. Is it much different than the Trend Micro Housecall scan?

This is frustrating. There doesn't appear to be anything wrong but things aren't working right. I may just go with a clean wipe of my hard drive. I only recently reloaded it so I won't be losing much except my time reinstalling everything. ARGH! Any more ideas are still much appreciated. If it isn't resolved by Friday I'm spending the weekend reformatting and reinstalling everything.

Thanks for your time!

--Jason
#13  March 23rd, 2004, 12:55 PM
dammit (Rampant Rabbit)
Hi...do you use Apple's iTunes for Windows at all? If not, it's a bit of a hog to have running. It uses ~3-4MB of memory.

C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

Just a thought.
#14  March 23rd, 2004, 01:56 PM
AnnMarie (CTH Subscriber)
Hi Jason - Go here and download and run Killbox (not the beta for now).

Unzip to a new folder and doubleclick on KillBox.exe to run the program. Check all three Options:

Create a backup before deleting file.
Create a Killbox Session Log.
Enable msg121.dll option.

Next, go to "Find" and select "Find msg[].dll". Click on "File" > "Create Log" and post it back in this thread. Close all open windows and then run Killbox again (re-enable all three options). Go to "Find" and select "Find (use KillBox INI)". Click on "File" > "Create Log" and post it back in this thread. Do not make any changes without advice from an expert. To do so could cripple your OS.
#15  March 23rd, 2004, 03:57 PM
killerjay_47 (New Member)
Quote:
Originally Posted by dammit
Hi...do you use Apple's iTunes for Windows at all?
Yes, I do use it. But that shouldn't matter that much because I have 512MB of RAM, and opening a browser window to about:blank as my home page should not require too much more memory. (Windows!) Thanks for the tip, though.


Here's the Killbox log for 'Find msg[].dll'

Log for KillBox ver.2.0.1
--------------------------

---msg{}dll search---
C:\WINDOWS\System32\msgina.dll
C:\WINDOWS\System32\msgsvc.dll
C:\WINDOWS\System32\Msgsys.dll
C:\WINDOWS\System32\dllcache\msgina.dll
C:\WINDOWS\System32\dllcache\msgr3en.dll
C:\WINDOWS\System32\dllcache\msgrocm.dll
C:\WINDOWS\System32\dllcache\msgsvc.dll
C:\WINDOWS\System32\Setup\msgrocm.dll


The 'Find (use Killbox INI)' didn't find anything at all.

I tried the Panda scan again and it ran into a download error twice so I quit.

Thanks for your ideas and time.

--Jason
All times are GMT +1.